SECTION I

INTRODUCTION

This report documents an extension of the research begun in "Secure Computer Systems: Mathematical Foundations"^(1) and continued in "Secure Computer Systems: A Mathematical Model."^(2) This extension was undertaken to investigate important facets of secure computer systems not directly covered by "A Mathematical Model." To make clear the relation between the model of the earlier volumes and the refinements of this volume, I include in this section both a brief description of the model and an outline of this report, incorporating an explanation of each refinement's place in the general scheme of the model.

The models presented in the earlier volumes of this series can be described very simply. The major elements of the models are subjects, objects, access attributes, and access rules. One can think of subjects as representing user surrogates. Similarly, objects can be thought of as representing various entities within the system including such things as data, stored programs, line printers, and teletypewriters. The access attributes in Volume II were read, execute, write, append, and control. The first four represent in a general way the mode of access suggested by their names; the last one, control, is an attribute which represents the power of a subject to give or rescind another subject's access to an object. The access rules are functions which specify allowable changes to subjects' access to objects so that "security" is maintained. Security is defined as a particular relation between the security level of a subject and the levels of the objects it has access to at a given instant. In addition, the model's access rules prevent a certain set of circumstances wherein the potential for security compromise exists. This last property of the access rules is guaranteed by the preservation of a property called "*-property." Thus, the model describes the interrelation of subjects and objects, each with a security level, in such a way that both security (as defined) and *-property are preserved.

The next three sections of this report document three refinements to the model just described. The first refinement, found in Section II, involves the inclusion of implicit, hierarchical control. As mentioned, control was an explicit access attribute in Volume II. Viewing a directory-hierarchy machine like the Multics system as a likely vehicle for the implementation of this model, one can easily see that a more general control scheme would be very helpful. This refinement includes an implicit control scheme by distributing control throughout a hierarchically-ordered object structure, which is itself patterned after the Multics directory hierarchy.

The second refinement is included in Section III. The topic here is a concept called "current classification." The concept is included in the model to allow a vast simplification of the get-access rules of the model: a laborious check of every object currently accessed by a subject can be replaced by a single comparison. The longer check is then included in a new rule whose purpose is to allow a subject to change its current classification; it is expected that this rule will be invoked much less frequently than the get-access rules themselves.

Section IV contains a double refinement to the *-property. It is refined to reflect the concept of current classification (of Section III) and to allow for trustworthy subjects who are exempt from *-property checks. It is emphasized that a subject may be exempted from *-property compliance only if it is demonstrated that the subject will not engage in the type of security compromise that *-property is designed to prevent.

Section V concerns a concept called "compatibility." Compatibility is a strategy for the classification of a control hierarchy which is currently required by the *-property. Section VI is a summary of the report. For the reader's convenience, three appendices are included. Appendix A is a concise list of the access rules in a standard format. Appendix B contains proofs that the rules preserve security and *-property. Appendix C contains a notational glossary: every notation, in this volume or in the two earlier ones, is listed here with a brief explanation of its meaning.


SECTION II

THE ALTERATION OF CONTROL

Introduction

An important factor in a flexible computer system is the ability to grant and rescind access privilege to users of the system. Computer systems described by "A Mathematical Model" exhibit limitations on the alteration of access privilege that are far from perfectly general. In the first place, the control attribute is explicit. Moreover, it cannot be extended during normal operation: a subject $S_i$ has the control access attribute with respect to an object $O_j$

(1) if $S_i$ created $O_j$, or

(2) if the control officer added that attribute to $M_{ij}$ during abnormal operation.

In addition, a subject $S_i$ with control over $O_j$ can extend only those other attributes which he himself has. That is, if $S_i$ has only the read and control access attributes relative to object $O_j$, then $S_i$ cannot extend write access to another subject $S_k$.

While modifying or lifting restrictions such as these would substantially affect the external characteristics of an implementation of the model, the control of access-privilege alteration would remain both centralized and explicit. As such, the model could not adequately describe a system such as Multics where this control is both decentralized and implicit. It is the purpose of this section to make the model more easily applicable to Multics by investigating diffuse, implicit control over the ability to alter access privilege.


Preliminary Discussion

The type of access-privilege control we wish to incorporate into the model builds on the organization of the objects themselves. Specifically, we will deal with a set $\mathcal{O}$ of objects which is hierarchically organized in a directed tree structure (Figure 1). The hierarchical arrangement of objects will be dynamic, so that a means of expression which allows us to denote changes of structure easily will be desirable. The notion of a function will be used to formalize the hierarchical structure of the data: each object $O$ will have as image the set of objects (if any) directly inferior to $O$. Minor changes to the current hierarchy function will then reflect alterations to the object structure itself. This framework will be developed in the next subsection.

The capability to alter access privileges will be expressed implicitly within the framework of object hierarchy. Specifically, write access to object $O_i$ which is directly superior to object $O_j$ will imply the capability to alter the access privilege of any subject to $O_j$ (see Figure 1). The type of control thus generated is diffuse and it is implicit. In order to begin the investigation of systems with this type of control, we must start by formalizing the object-structuring function, which we shall call a hierarchy.
Hierarchies

We begin by defining a set $\mathcal{H}$ of functions called "hierarchies."

Definition 2.1: Let $\mathcal{H} \subset (\mathcal{P}\mathcal{O})^{\mathcal{O}}$ be defined by $H \in \mathcal{H}$ if

(1) $O_i \neq O_j$ implies $H(O_i) \cap H(O_j) = \emptyset$, and

(2) there does not exist a set $\{O_1, \ldots, O_w\}$ of objects such that $O_{r+1} \in H(O_r)$ where $1 \le r \le w$ and $O_{w+1} = O_1$.

The interpretation (Figure 2) is that $O_j$ is in the set $H(O_i)$ provided $O_i$ is directly superior to $O_j$ (or $O_j$ is directly inferior to $O_i$). In Figure 2, $H(O_i)$ is the set of the objects drawn directly below $O_i$, while $H(O_k) = \emptyset$ for an object $O_k$ which has no inferior objects.

Condition (1) requires, therefore, that no object be directly inferior to two different objects. Condition (2) forbids the existence of a ring of objects, each directly superior to the next. In terms of graph structure, there are no directed circuits and the object structure is a tree. Notice that a hierarchy is a one-level record of connection in the object structure: more remote connections are rarely of interest in the developments to follow and are therefore suppressed in the model. That the definition of $\mathcal{H}$ does indeed impose a directed tree structure on $\mathcal{O}$ is established by the following proposition.*

*Propositions 2.2 and 2.3 are graph-theoretical results of a technical nature and are not vital to an understanding of the remainder of the section.
Proposition 2.2: For $H \in (\mathcal{P}\mathcal{O})^{\mathcal{O}}$ let $E(H) = \{(O_1, O_2) : O_1, O_2 \in \mathcal{O} \text{ and } O_2 \in H(O_1)\}$ and set $G(H)$ equal to the graph $(\mathcal{O}, E(H))$. If $H \in \mathcal{H}$, $G(H)$ is the disjoint union of directed trees and isolated points.

Proof: By (1), $\mathrm{Indeg}\, O \le 1$ for all $O \in \mathcal{O}$. By (2), $G(H)$ is acyclic. Thus every nontrivial component of $G(H)$ is a directed tree and the proposition is proved.

Every $H \in \mathcal{H}$ yields a tree structure of the desired type. The converse is also true.

Proposition 2.3: Let $G = (\mathcal{O}, E)$ be the disjoint union of trees and isolated points. For every $O \in \mathcal{O}$, define $H(O) = \{O_j : (O, O_j) \in E\}$. $H$ is a hierarchy in $\mathcal{H}$ and $G(H) = G$.

Proof: In a tree, $\mathrm{Indeg}\, v \le 1$ for all vertices $v$. The same is true for isolated vertices. Thus, (1) holds. Both trees and isolated points are acyclic, so (2) holds. That $G(H) = G$ is immediate from the definition of $H$ and $G(H)$.

While our definition allows there to be more than one tree, we shall consider hierarchies with a single tree to be the most relevant. Hence we shall optionally invoke property (3) which guarantees a single tree:
The object $O_R$ will be called the root object. If condition (3) does not hold, each object which has non-empty image under $H$ and no inverse image will be called a root object of the system.

The restriction above is mentioned only in passing since none of the results depend on it.

The set $\mathcal{H}$ of hierarchies as defined is somewhat too general for our use. Therefore, we will restrict the set of hierarchies of interest using the notion of the active set of objects. $A(M)$ is the set of object-indices which identify the objects with a nonempty column in the matrix $M \in \mathcal{M}$. Specifically, $A(M) = \{j : \text{there is an } S_i \in \mathcal{S} \text{ such that } M_{ij} \neq \emptyset\}$. In a given state, we want the active objects to be precisely the nonisolated vertices of the graph. The following definition identifies the hierarchies that satisfy this condition.

Definition 2.4: For $M \in \mathcal{M}$, set

$\mathcal{H}_M = \{H \in \mathcal{H} : H^{-1}(\emptyset) - \bigcup_{O \in \mathcal{O}} H(O) = \{O_j : j \notin A(M)\}\}$.

The definition of $\mathcal{H}_M$ requires $H(O_j) = \emptyset$ for every $j \notin A(M)$. Thus the active objects are precisely those that are in the tree portion of the structure. In a Multics setting, the active objects would be the segments in the directory structure and the terminal objects (that is, objects with no inferior objects) would represent the data segments at the "bottom" of the directory structure.
The notion of a hierarchy $H$ is now available for use in the model of secure computer systems. In the next subsection, we shall make minor modifications to the model to incorporate the current hierarchy.

First Refinement of the Model

We shall revise the definition of a state to be a four-tuple $(b, M, f, H) \in V \subset \mathcal{P}(\mathcal{S} \times \mathcal{O} \times A) \times \mathcal{M} \times \mathcal{F} \times \mathcal{H}$ such that $H \in \mathcal{H}_M$. The access attribute set $A$ is now the set $\{r, e, w, a\}$ with the same connotations as before.

Control will now be expressed implicitly. If object $O_k$ is directly superior to $O_j \neq O_R$, then the entries $M_{ij}$, $1 \le i \le n$, are considered to reside in the object $O_k$ directly superior to $O_j$. In addition, a list of the objects directly inferior to $O_k$, namely $H(O_k)$, is also recorded in $O_k$. Thus deletions or additions to access privileges to $O_j$ can be effected by any subject having write access to $O_k$.
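The following Python program is an added illustration, not code from this report or from the Multics system it refers to, of the structures just defined: Definition 2.1 (a hierarchy $H$ whose images are pairwise disjoint and which contains no ring), the root objects, the active set $A(M)$ together with the condition of Definition 2.4 for $H \in \mathcal{H}_M$, and the implicit-control test of the First Refinement (access privileges to $O_j$ may be altered only with write access to the directly superior object). The objects, subjects and matrix entries are constructed sample values, and the function names are this example's own, not the report's notation.

```python
# Added example (not code from the report): Definition 2.1 (hierarchy),
# the active set A(M) and Definition 2.4, and the implicit-control test of
# the First Refinement, over a constructed object structure.
from typing import Dict, FrozenSet, Set, Tuple

Obj = str
Subj = str
Hierarchy = Dict[Obj, FrozenSet[Obj]]            # H(O) = objects directly inferior to O
Matrix = Dict[Tuple[Subj, Obj], FrozenSet[str]]  # M_ij = access attributes of S_i to O_j
Access = Tuple[Subj, Obj, str]                   # an element (S, O, x) of b


def has_superior(H: Hierarchy) -> Set[Obj]:
    """Objects that appear in some image H(O), i.e. have a directly superior object."""
    return set().union(*H.values()) if H else set()


def is_hierarchy(H: Hierarchy) -> bool:
    """Definition 2.1: (1) images are pairwise disjoint; (2) no ring of objects,
    each directly superior to the next. Together these make G(H) a forest."""
    objs = list(H)
    for i, o1 in enumerate(objs):                         # condition (1)
        for o2 in objs[i + 1:]:
            if H[o1] & H[o2]:
                return False
    parent = {child: o for o in objs for child in H[o]}   # unique by (1)
    for start in objs:                                    # condition (2)
        seen, cur = {start}, start
        while cur in parent:
            cur = parent[cur]
            if cur in seen:
                return False
            seen.add(cur)
    return True


def root_objects(H: Hierarchy) -> Set[Obj]:
    """Objects with a non-empty image and no inverse image (the root objects)."""
    sup = has_superior(H)
    return {o for o, kids in H.items() if kids and o not in sup}


def active_set(M: Matrix) -> Set[Obj]:
    """A(M): objects with a non-empty column in the access matrix M."""
    return {o for (_, o), attrs in M.items() if attrs}


def in_H_M(H: Hierarchy, M: Matrix) -> bool:
    """Definition 2.4: H is in H_M iff the isolated vertices of G(H), that is
    H^{-1}(empty) minus the union of all images, are exactly the inactive objects."""
    sup = has_superior(H)
    isolated = {o for o, kids in H.items() if not kids and o not in sup}
    return is_hierarchy(H) and isolated == set(H) - active_set(M)


def can_alter_access(b: Set[Access], H: Hierarchy, S: Subj, Oj: Obj) -> bool:
    """First Refinement: the entries M_ij for O_j reside in the object O_k directly
    superior to O_j, so S can give or rescind access to O_j iff (S, O_k, w) is in b."""
    for Ok, kids in H.items():
        if Oj in kids:
            return (S, Ok, "w") in b
    return False   # a root or isolated object has no superior holding its entries


# Constructed sample (not from the report): a root directory O_R, two
# sub-directories O_1 and O_2, a data segment O_3 under O_1, and an inactive O_4.
H_SAMPLE: Hierarchy = {
    "O_R": frozenset({"O_1", "O_2"}),
    "O_1": frozenset({"O_3"}),
    "O_2": frozenset(),
    "O_3": frozenset(),
    "O_4": frozenset(),
}
M_SAMPLE: Matrix = {
    ("S_1", "O_R"): frozenset({"r", "w"}),
    ("S_1", "O_1"): frozenset({"r", "w"}),
    ("S_2", "O_2"): frozenset({"r"}),
    ("S_2", "O_3"): frozenset({"r", "a"}),
    ("S_2", "O_4"): frozenset(),      # empty column: O_4 is not active
}
B_SAMPLE: Set[Access] = {("S_1", "O_R", "w"), ("S_1", "O_1", "w"), ("S_2", "O_3", "r")}

# Two structures that fail Definition 2.1: O_3 under two superiors, and a ring.
H_TWO_SUPERIORS: Hierarchy = {"O_1": frozenset({"O_3"}), "O_2": frozenset({"O_3"}), "O_3": frozenset()}
H_RING: Hierarchy = {"O_1": frozenset({"O_2"}), "O_2": frozenset({"O_3"}), "O_3": frozenset({"O_1"})}

if __name__ == "__main__":
    print("valid hierarchy:", is_hierarchy(H_SAMPLE), "roots:", root_objects(H_SAMPLE))
    print("H in H_M:", in_H_M(H_SAMPLE, M_SAMPLE))
    print("S_1 may alter access to O_3:", can_alter_access(B_SAMPLE, H_SAMPLE, "S_1", "O_3"))
```

The cycle test in is_hierarchy follows the unique superior chain from every object, which is valid only after condition (1) has been established; the two failing structures show each condition being rejected separately.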

To simplify the notation somewhat, we shall partition the set of requests into five disjoint sets:

$R^{(1)}$ = requests for get- and release-access;

$R^{(2)}$ = requests for give- and rescind-access;

$R^{(3)}$ = requests for creation of objects;

$R^{(4)}$ = requests for the destruction of objects; and

$R^{(5)}$ = requests for changing classification and category set.
The intended use of the requests in $R^{(3)}$, $R^{(4)}$, and $R^{(5)}$ is obvious. Requests in $R^{(1)}$ represent initial requests for access to an object or requests to have an object removed from a subject's current-access list. Requests in $R^{(2)}$ have analogous interpretations. A give-access request represents an extending of access privilege to the named subject; a rescind-access request corresponds to revoking a subject's privilege to access a given object.

Within the model, the sets of requests are formally defined as follows:

$R^{(1)} = RA \times \mathcal{S} \times \mathcal{O} \times A$, $RA = \{g, r\}$;

$R^{(2)} = \mathcal{S} \times RA \times \mathcal{S} \times \mathcal{O} \times A$;

$R^{(3)} = \mathcal{S} \times \mathcal{O} \times C \times \mathcal{P}K \times X$, $X = \{e, \emptyset\}$;

$R^{(4)} = \mathcal{S} \times \mathcal{O}$; and

$R^{(5)} = \mathcal{S} \times C \times \mathcal{P}K$.

These modifications to the model are clearly of a minor nature and they effectively include all relevant information about the current hierarchy within the current state.

Conclusion

In this section, a structure was imposed on the objects to facilitate the introduction of an implicit control attribute like that found in Multics. This change affects only those rules of Volume II which depend on the control attribute. The only such rules involve the giving/rescinding of access or the creation/deletion of objects. New rules for these requests are included in Appendix A as rules $\rho_{12}$, $\rho_{13}$, $\rho_{14}$, and $\rho_{15}$. It is proved in Appendix B that these new rules are security-preserving and *-property-preserving, under the extended meaning of the *-property introduced in Section IV.

The set of rules $\omega = \{\rho_1, \rho_2, \rho_3, \rho_4, \rho_5, \rho_{12}, \rho_{13}, \rho_{14}, \rho_{15}\}$ defines the system $\Sigma(R, D, W(\omega), z_0)$. By Theorems 3.2 and 3.3 of Volume II, the system is secure and satisfies *-property provided the initial state $z_0$ does.


SECTION III

THE INCLUSION OF CURRENT SECURITY LEVEL

Introduction

The concept of "current" security classification is directly implied by the *-property. Moreover, as was discovered in the initial attempt to use the secure computer model in the design of a security kernel, not only is the use of the current security level† natural but also it can lead to dramatic simplifications of the *-property checks of rules $\rho_1$, $\rho_2$, and $\rho_4$ of "A Mathematical Model." This section will investigate both the justification for the current security level and the implications of its inclusion in the model.

Background

We are considering the system $\Sigma(R, D, W(\omega), z_0)$ where $z_0$ is secure and satisfies *-property. We begin by defining two pairs of partial functions:

$g_1(S, v) = \max\{f_2(O) : (S, O, w) \in b\}$;

$g_2(S, v) = \bigcup\{f_4(O) : (S, O, w) \in b\}$;

$h_1(S, v) = \max\{f_2(O) : (S, O, r) \in b\}$; and

$h_2(S, v) = \bigcup\{f_4(O) : (S, O, r) \in b\}$.

The domains of these functions are pairs $(S, v)$ such that the corresponding bracketed set is not empty. The intuitive interpretations of $g_1$ and $g_2$ are as follows:

$g_1(S, v)$ is the highest classification of any object $O$ currently accessed by $S$ in the write mode in state $v$;

$g_2(S, v)$ is the smallest category set which contains the category set of each object $O$ currently accessed by $S$ in the write mode in state $v$.

$h_1$ and $h_2$ are interpreted similarly with "read" in place of "write".

†That is, the classification-and-category-set.

The order imposed on the objects currently accessed by $S$ is established by Theorem 3.1 below.

Theorem 3.1: If $v$ satisfies *-property, then the following are true:

(1) $(S, O, w) \in b \Rightarrow g_1(S, v) = f_2(O)$ and $g_2(S, v) = f_4(O)$;

(2) $(S, O, a) \in b$ and $g_1(S, v)$ defined $\Rightarrow g_1(S, v) \le f_2(O)$ and $g_2(S, v) \subseteq f_4(O)$;

(3) $(S, O, r) \in b \Rightarrow h_1(S, v) \ge f_2(O)$ and $h_2(S, v) \supseteq f_4(O)$; and

(4) $g_1(S, v)$ and $h_1(S, v)$ defined $\Rightarrow g_1(S, v) \ge h_1(S, v)$ and $g_2(S, v) \supseteq h_2(S, v)$.

Proof: A direct application of the *-property.

The four conclusions above can be paraphrased as follows:

(1) If $S$ has current write access to two different objects $O_1$ and $O_2$ in $b$, then $O_1$ and $O_2$ have the same classification and category set.

(2) If $S$ has current append access to $O_1$ and current write access to $O_2$ in $b$, then $O_1$'s security level dominates $O_2$'s security level.

(3) Conclusion (3) is a restatement of the definitions of $h_1$ and $h_2$.

(4) If $S$ has current write access to $O_1$ and current read access to $O_2$ in $b$, then $O_1$'s security level dominates the security level of $O_2$.

The first three of these conclusions tend to make the prospect of checking for the preservation of *-property more manageable, since the four values of $g_1$, $g_2$, $h_1$, and $h_2$ group the classifications and categories of currently-accessed objects in a natural manner. (See Figure 3.) The fourth conclusion reduces the number of important values to two. The full import of this argument is revealed in Corollary 3.2.

[Figure 3. The Natural Ordering of Currently-Accessed Objects. Along an axis of increasing security level: objects in the $a$ range can only be appended; the $w$ level defines the current level of write access; objects in the $r$ range are read only.]


Corollary 3.2: When $g_1(S, v)$ is defined and $v$ satisfies the *-property, then

(i) $(S, O, a) \in b \Rightarrow f_2(O) \ge g_1(S, v)$ and $f_4(O) \supseteq g_2(S, v)$;

(ii) $(S, O, w) \in b \Rightarrow f_2(O) = g_1(S, v)$ and $f_4(O) = g_2(S, v)$; and

(iii) $(S, O, r) \in b \Rightarrow f_2(O) \le g_1(S, v)$ and $f_4(O) \subseteq g_2(S, v)$.

According to Corollary 3.2, in a state which satisfies the *-property, there is for each subject $S$ which has current write access to some object a unique security level which equals the security level of every object currently accessed by $S$ in the write mode. This security level simultaneously dominates those of objects being accessed in read mode and is dominated by the security level of every object being accessed in the append mode. (See Figure 4.) The possibility of great simplification comes from the global importance of this security level for a given subject $S$ in state $v$.

[Figure 4. Information Flow and Security Level]

The partial converse of Corollary 3.2 contained in Theorem 3.3 provides precisely the needed tool for simplifying the rules.

Theorem 3.3: Let $(f_5, f_6) \in C^{\mathcal{S}} \times (\mathcal{P}K)^{\mathcal{S}}$. Let $H \in \mathcal{H}_M$ and let $v = (b, M, f, H)$ be a state such that the implications (1), (2), and (3) below hold:

(1) $(S, O, a) \in b \Rightarrow f_2(O) \ge f_5(S)$ and $f_4(O) \supseteq f_6(S)$;

(2) $(S, O, w) \in b \Rightarrow f_2(O) = f_5(S)$ and $f_4(O) = f_6(S)$; and

(3) $(S, O, r) \in b \Rightarrow f_2(O) \le f_5(S)$ and $f_4(O) \subseteq f_6(S)$.

Then $v$ satisfies *-property.

Proof: Let $S \in \mathcal{S}$, $O_1 \in b(S:w,a)$ and $O_2 \in b(S:r,w)$. It must be shown that $f_2(O_1) \ge f_2(O_2)$ and $f_4(O_1) \supseteq f_4(O_2)$ in order to establish that $v$ satisfies *-property. By (1) and (2), $f_2(O_1) \ge f_5(S)$ and $f_4(O_1) \supseteq f_6(S)$. By (2) and (3), $f_5(S) \ge f_2(O_2)$ and $f_6(S) \supseteq f_4(O_2)$. The necessary relations hold by transitivity and $v$ satisfies *-property.

Theorem 3.3 establishes that if implications (1), (2), and (3) were the definition of *-property, then checks for the preservation of *-property could be reduced in most cases to a simple comparison. The importance of this reduction in an implementation is great enough that *-property will be redefined in Section IV to take advantage of the simpler checks. In the next subsection, the functions $f_5$ and $f_6$ of Theorem 3.3 will be added to the model for later use.
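The following Python program is an added illustration, not code from this report, of the material of this subsection: the partial functions $g_1, g_2, h_1, h_2$ over a current-access set $b$, the *-property in the pairwise form of "A Mathematical Model" (every object in $b(S:w,a)$ dominates every object in $b(S:r,w)$), and the Theorem 3.3 check that compares each accessed object once against the subject's current level $(f_5(S), f_6(S))$. Security levels are represented as (classification, category set) pairs; the state, the subjects $S_1$ and $S_2$ and the objects are constructed sample values, and the function names are this example's own. The second subject is chosen so that the state satisfies the original *-property yet fails the Theorem 3.3 conditions, which is the situation the next subsection discusses for subjects with no current write access.

```python
# Added example (not code from the report): the partial functions g_1, g_2, h_1, h_2,
# the *-property in the form of "A Mathematical Model", and the Theorem 3.3 check
# built on the current level (f_5(S), f_6(S)). All sample data is constructed.
from typing import Dict, FrozenSet, Optional, Set, Tuple

Level = Tuple[int, FrozenSet[str]]   # (classification, category set): f_2/f_4 or f_5/f_6
Access = Tuple[str, str, str]        # (S, O, x) with x in {r, e, w, a}


def dominates(l1: Level, l2: Level) -> bool:
    """Security level (c1, k1) dominates (c2, k2) iff c1 >= c2 and k1 contains k2."""
    return l1[0] >= l2[0] and l1[1] >= l2[1]


def b_of(b: Set[Access], S: str, *modes: str) -> Set[str]:
    """b(S: x_1, ..., x_n): the objects S currently accesses in any of the given modes."""
    return {O for (s, O, x) in b if s == S and x in modes}


def join(levels) -> Optional[Level]:
    """Max classification and union of category sets; None when the set is empty."""
    levels = list(levels)
    if not levels:
        return None
    return (max(c for c, _ in levels), frozenset().union(*(k for _, k in levels)))


def g(b: Set[Access], f_obj: Dict[str, Level], S: str) -> Optional[Level]:
    """(g_1, g_2)(S, v) computed over b(S:w)."""
    return join(f_obj[O] for O in b_of(b, S, "w"))


def h(b: Set[Access], f_obj: Dict[str, Level], S: str) -> Optional[Level]:
    """(h_1, h_2)(S, v) computed over b(S:r)."""
    return join(f_obj[O] for O in b_of(b, S, "r"))


def star_property_original(b: Set[Access], f_obj: Dict[str, Level], subjects) -> bool:
    """The Volume II form: every O_1 in b(S:w,a) dominates every O_2 in b(S:r,w).
    This is the laborious pairwise check over all currently accessed objects."""
    return all(dominates(f_obj[O1], f_obj[O2])
               for S in subjects
               for O1 in b_of(b, S, "w", "a")
               for O2 in b_of(b, S, "r", "w"))


def in_V33(b: Set[Access], f_obj: Dict[str, Level], f_cur: Dict[str, Level], subjects) -> bool:
    """Hypotheses (1)-(3) of Theorem 3.3: each accessed object is compared once with
    the subject's current level, so the check is linear in |b| rather than quadratic."""
    for (S, O, x) in b:
        if S not in subjects:
            continue
        cur, lvl = f_cur[S], f_obj[O]
        if x == "a" and not dominates(lvl, cur):
            return False
        if x == "w" and lvl != cur:
            return False
        if x == "r" and not dominates(cur, lvl):
            return False
    return True


# Constructed sample state. S_1 has write access, so its current level is forced
# to equal the write level (Corollary 3.2). S_2 has no write access: its accesses
# satisfy the original *-property, but its recorded current level (0, {}) sits
# below its read object, which keeps the state out of V_3.3.
F_OBJ: Dict[str, Level] = {
    "O_1": (3, frozenset({"A"})),
    "O_2": (2, frozenset({"A"})),
    "O_3": (1, frozenset()),
    "O_4": (3, frozenset({"A", "B"})),
}
F_CUR: Dict[str, Level] = {"S_1": (3, frozenset({"A"})), "S_2": (0, frozenset())}
B: Set[Access] = {
    ("S_1", "O_1", "w"), ("S_1", "O_4", "a"), ("S_1", "O_2", "r"), ("S_1", "O_3", "r"),
    ("S_2", "O_4", "a"), ("S_2", "O_3", "r"),
}

if __name__ == "__main__":
    print("g(S_1) =", g(B, F_OBJ, "S_1"), " h(S_1) =", h(B, F_OBJ, "S_1"))
    print("original *-property:", star_property_original(B, F_OBJ, {"S_1", "S_2"}))
    print("v in V_3.3 for S_1 only:", in_V33(B, F_OBJ, F_CUR, {"S_1"}))
    print("v in V_3.3 for all:", in_V33(B, F_OBJ, F_CUR, {"S_1", "S_2"}))
```

For $S_1$ the values $g$ and $h$ exhibit conclusion (4) of Theorem 3.1 ($g$ dominates $h$), and in_V33 holding for $S_1$ implies the original *-property for $S_1$, as Theorem 3.3 states; the converse fails for $S_2$ exactly because $b(S_2:w)$ is empty.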

Second Refinement of the Model

We shall revise the definition of $\mathcal{F}$ as a subset of $C^{\mathcal{S}} \times C^{\mathcal{O}} \times (\mathcal{P}K)^{\mathcal{S}} \times (\mathcal{P}K)^{\mathcal{O}} \times C^{\mathcal{S}} \times (\mathcal{P}K)^{\mathcal{S}}$ such that $f = (f_1, f_2, f_3, f_4, f_5, f_6) \in \mathcal{F}$ if and only if for all $S \in \mathcal{S}$,

$f_1(S) \ge f_5(S)$ and $f_3(S) \supseteq f_6(S)$.

Call $f_5(S)$ the current classification of $S$ (relative to $f$) and $f_6(S)$ the current category-set of $S$ (relative to $f$). The current classification and current category-set will be used in the next section to redefine the *-property to take advantage of the simplification implicit in Theorem 3.3. In the remainder of this subsection, we shall discuss the simplifications which are the stimuli for the changes to come.

Define $V_{3.3}$ to be the subset of $V$ consisting of all $v = (b, M, f, H)$ satisfying the hypotheses of Theorem 3.3. That is, $v = (b, M, f, H) \in V_{3.3}$ provided

(1) $(S, O, a) \in b \Rightarrow f_2(O) \ge f_5(S)$ and $f_4(O) \supseteq f_6(S)$;

(2) $(S, O, w) \in b \Rightarrow f_2(O) = f_5(S)$ and $f_4(O) = f_6(S)$; and

(3) $(S, O, r) \in b \Rightarrow f_2(O) \le f_5(S)$ and $f_4(O) \subseteq f_6(S)$.

Every $v \in V_{3.3}$ satisfies *-property by Theorem 3.3. On the other hand, if $v$ satisfies *-property and $b(S:w) \neq \emptyset$ for $S \in \mathcal{S}$, then $v \in V_{3.3}$ by Corollary 3.2. Hence, the conditions for $v$ to be a member of $V_{3.3}$ are only slightly stronger than those for $v$ to satisfy *-property. In particular, $v = (b, M, f, H)$ can satisfy *-property and fail to be in the set $V_{3.3}$ (Figure 5) only if there is an $S \in \mathcal{S}$ with $b(S:w) = \emptyset$ and either

(1) there is an $O_1 \in b(S:a)$ with $f_2(O_1) < f_5(S)$ or $f_4(O_1) \not\supseteq f_6(S)$, or

(2) there is an $O_1 \in b(S:r)$ with $f_2(O_1) > f_5(S)$ or $f_4(O_1) \not\subseteq f_6(S)$.

In either case, however, if *-property holds, then the security level of any object in $b(S:a)$ dominates the security level of any object in $b(S:r)$ and the exclusion of $v$ from $V_{3.3}$ results from an incongruity between the explicit values $f_5(S)$ and $f_6(S)$ and their implicit bounds, $\inf\{f_2(O) : O \in b(S:a)\}$ and $\sup\{f_2(O) : O \in b(S:r)\}$ for $f_5$ and $\bigcap\{f_4(O) : O \in b(S:a)\}$ and $\bigcup\{f_4(O) : O \in b(S:r)\}$ for $f_6$. (These implicit bounds are represented by the lines below the $a$ bracket and above the $r$ bracket in Figure 5.)


To justify the elimination of this incongruity in Section IV, let us derive an alternative condition for the *-property-preserving condition $U_{\rho_1} = \emptyset$ of rule $\rho_1$ under the assumptions that $v \in V_{3.3}$ and that $S_i$'s security level is the infimum of the security levels of the objects in $b(S_i:w,a)$. In that situation, the following conditions are equivalent:

$U_{\rho_1} = \{O : O \in b(S_i:w,a) \text{ and } [f_2(O_j) > f_2(O) \text{ or } f_4(O_j) \not\subseteq f_4(O)]\} = \emptyset$

$\iff [f_2(O_j) \le f_2(O) \text{ and } f_4(O_j) \subseteq f_4(O)]$ for all $O$ such that $[(S_i, O, w) \in b \text{ or } (S_i, O, a) \in b]$

$\iff f_2(O_j) \le f_5(S_i)$ and $f_4(O_j) \subseteq f_6(S_i)$.

Clearly, then, the substitution of "$f_2(O_j) \le f_5(S_i)$ and $f_4(O_j) \subseteq f_6(S_i)$" for "$U_{\rho_1} = \emptyset$" in rule $\rho_1$ guarantees both the fact that $\rho_1$ remains security-preserving and the fact that the proposition below is true:

if $v \in V_{3.3}$ and $\rho_1(R_k, v) = (D_m, v^*)$, then $v^* \in V_{3.3}$.

In fact, the same guarantee can be advanced for each of the substitutions listed below:

$[U_{\rho_1} = \emptyset] \iff [f_2(O_j) \le f_5(S_i) \text{ and } f_4(O_j) \subseteq f_6(S_i)]$;

$[U_{\rho_2} = \emptyset] \iff [f_2(O_j) \ge f_5(S_i) \text{ and } f_4(O_j) \supseteq f_6(S_i)]$; and

$[U_{\rho_4} = \emptyset] \iff [f_2(O_j) = f_5(S_i) \text{ and } f_4(O_j) = f_6(S_i)]$.
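The following Python program is an added illustration, not code from this report, of the substitution just derived. It performs the *-property check of the get-read rule $\rho_1$ in both forms, the scan of $b(S_i:w,a)$ that tests $U_{\rho_1} = \emptyset$ and the single comparison of $O_j$'s level with $(f_5(S_i), f_6(S_i))$, and runs a batch of constructed requests through both to show that they agree when the subject's current level is the infimum over $b(S_i:w,a)$. The scan sets for get-append and get-write are this example's own, derived from the pairwise *-property definition by the same reasoning (the new object must keep every object of $b(S:w,a)$ dominating every object of $b(S:r,w)$); the report states only $U_{\rho_1}$ explicitly. Subjects, objects and levels are constructed sample values.

```python
# Added example (not code from the report): the *-property check of the get-read
# rule rho_1 done two ways, as the scan U_rho_1 = empty over b(S_i:w,a) and as the
# single comparison f_2(O_j) <= f_5(S_i), f_4(O_j) within f_6(S_i). The analogous
# scans for get-append and get-write are derived here from the *-property definition
# and are not given in the report. All sample data is constructed.
from typing import Dict, FrozenSet, Optional, Set, Tuple

Level = Tuple[int, FrozenSet[str]]   # (classification, category set)
Access = Tuple[str, str, str]        # (S, O, x) with x in {r, e, w, a}


def dominates(l1: Level, l2: Level) -> bool:
    return l1[0] >= l2[0] and l1[1] >= l2[1]


def b_of(b: Set[Access], S: str, *modes: str) -> Set[str]:
    return {O for (s, O, x) in b if s == S and x in modes}


def U(b, f_obj, Si, Oj, mode) -> Set[str]:
    """Objects whose current access conflicts with granting (S_i, O_j, mode).
    mode 'r': U_rho_1 = {O in b(S_i:w,a): f_2(O_j) > f_2(O) or f_4(O_j) not within f_4(O)}.
    mode 'a': O_j must dominate every O in b(S_i:r,w)   (derived, not in the report).
    mode 'w': both of the above                         (derived, not in the report)."""
    lvl = f_obj[Oj]
    bad: Set[str] = set()
    if mode in ("r", "w"):
        bad |= {O for O in b_of(b, Si, "w", "a") if not dominates(f_obj[O], lvl)}
    if mode in ("a", "w"):
        bad |= {O for O in b_of(b, Si, "r", "w") if not dominates(lvl, f_obj[O])}
    return bad


def check_by_scan(b, f_obj, Si, Oj, mode) -> bool:
    """The Volume II style check: the conflict set U must be empty."""
    return not U(b, f_obj, Si, Oj, mode)


def check_by_current_level(f_obj, f_cur, Si, Oj, mode) -> bool:
    """The substitutions of Section III: one comparison with (f_5(S_i), f_6(S_i))."""
    lvl, cur = f_obj[Oj], f_cur[Si]
    if mode == "r":
        return dominates(cur, lvl)    # f_2(O_j) <= f_5(S_i) and f_4(O_j) within f_6(S_i)
    if mode == "a":
        return dominates(lvl, cur)    # f_2(O_j) >= f_5(S_i) and f_4(O_j) contains f_6(S_i)
    return lvl == cur                 # mode 'w': equality of levels


def infimum_of_write_append(b, f_obj, Si) -> Optional[Level]:
    """inf of the levels in b(S_i:w,a): min classification, intersection of category
    sets. The derivation assumes S_i's current level equals this; None if empty."""
    levels = [f_obj[O] for O in b_of(b, Si, "w", "a")]
    if not levels:
        return None
    return (min(c for c, _ in levels), frozenset.intersection(*(k for _, k in levels)))


def both_ways(b, f_obj, f_cur, Si, requests):
    """Run every (O_j, mode) request through both checks: {(O_j, mode): (scan, current)}."""
    return {(Oj, m): (check_by_scan(b, f_obj, Si, Oj, m),
                      check_by_current_level(f_obj, f_cur, Si, Oj, m))
            for Oj, m in requests}


# Constructed sample: S_1 writes O_1, appends O_4 and reads O_2, with current level
# equal to the infimum over b(S_1:w,a) = (3, {A}), as the derivation assumes.
F_OBJ: Dict[str, Level] = {
    "O_1": (3, frozenset({"A"})), "O_2": (2, frozenset({"A"})),
    "O_4": (3, frozenset({"A", "B"})),
    "O_5": (2, frozenset({"A"})), "O_6": (3, frozenset({"B"})),
    "O_7": (4, frozenset({"A", "B"})), "O_8": (3, frozenset({"A"})),
}
F_CUR: Dict[str, Level] = {"S_1": (3, frozenset({"A"}))}
B: Set[Access] = {("S_1", "O_1", "w"), ("S_1", "O_4", "a"), ("S_1", "O_2", "r")}
REQUESTS = [("O_5", "r"), ("O_6", "r"), ("O_6", "a"), ("O_7", "a"), ("O_8", "w"), ("O_5", "w")]

if __name__ == "__main__":
    assert infimum_of_write_append(B, F_OBJ, "S_1") == F_CUR["S_1"]
    for key, (by_scan, by_level) in both_ways(B, F_OBJ, F_CUR, "S_1", REQUESTS).items():
        print(key, "scan:", by_scan, "current-level:", by_level)
```

The read of $O_6$ is refused by both checks for the same reason, the category set $\{B\}$ of $O_6$ is not contained in the current category set $\{A\}$, and the scan names the conflicting object $O_1$ while the comparison needs no scan at all.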

It now becomes imperative that a subject be able to change his $f_5$ and $f_6$ values. This is accomplished in the model by incorporating a rule, found in Appendix A, for changing the current security level. The checks made by this rule before granting a change of current security level are (1) that the implications required by Theorem 3.3 vis-a-vis the objects currently accessed are satisfied, and (2) that the relations $f_1(S_i) \ge f_5(S_i)$ and $f_3(S_i) \supseteq f_6(S_i)$ hold true.

Conclusion

The rules $\rho_1$, $\rho_2$, and $\rho_4$ can be greatly simplified by two simple revisions. The first is a revision of *-property suggested by Theorem 3.3; this revision is found in Section IV. The second revision is the adoption of the concepts of current classification and current category set; these concepts are directly implied by the *-property itself. Little generality is lost in the rules listed in using the current security level and the new definition of *-property, since the *-property guarantees the near-equivalence of the two sets of conditions listed in the previous subsection.
SECTION IV

REVISING THE *-PROPERTY

Introduction

The *-property was introduced in "A Mathematical Model" to allow the prevention of potential compromise in secure computer systems. In this section, the *-property will be revised in two ways. The first revision was motivated in Section III and involves a new set of conditions for the definition of *-property. The second revision alters the set of subjects which are controlled by the *-property; the motivation for the second revision is contained in the next subsection.

The Background of the *-Property

The original motivation for the *-property was the potential for security compromise caused by simultaneous access of two or more objects with different security levels by a single subject. The argument for some sort of potential-compromise prevention ran as follows:

(1) a subject $S$ with simultaneous write or append access to object $O_1$ and read or write access to object $O_2$ with security level greater than that of $O_1$ might put $O_2$ information into object $O_1$;

(2) if $S$ should do so, the actual security level of the contents of $O_1$ would not agree with the record of $O_1$'s security level in the system data base;

(3) in this case, the system has lost the ability to control the situation accurately;

(4) it is not desirable for the system to lose control of the situation; hence,

(5) the system must not allow the type of simultaneous access described in (1) above.

The argument is almost syllogistic in its simplicity. The construction and use of the *-property, however, overlooked a major possibility implicit in statement (1): there may be subjects which will never mix information of different security levels as was described. The *-property was used in "A Mathematical Model" as if no subject could be trusted not to mix classified information. In this section, the *-property will be revised by removing that assumption.

The set $\mathcal{S}$ is the set of all subjects. Let $S'$ represent the set of all subjects that are untrustworthy and may mix information as described. A state $v = (b, M, f, H)$ will be said to satisfy the *-property relative to $S'$ provided that for every $S \in S'$ the *-property conditions of Theorem 3.3 are satisfied. With this definition, the assumption that no subject can be trusted is removed and the Theorem 3.3 condition is substituted for the original *-property condition.

As shall be seen later, this modification is easily integrated into the model. First, however, we shall formally alter the model in the way described.




Third Refinement of the Model

Let S' be any subset of S. A state v = (b,M,f,H) with H ∈ H_M satisfies the *-property relative to S' provided that S ∈ S' implies

    O ∈ b(S:a) ⇒ f2(O) ≥ f5(S) and f4(O) ⊇ f6(S);
    O ∈ b(S:w) ⇒ f2(O) = f5(S) and f4(O) = f6(S); and
    O ∈ b(S:r) ⇒ f2(O) ≤ f5(S) and f4(O) ⊆ f6(S).

Now, v satisfies the *-property in the sense of "A Mathematical Model" provided v satisfies the *-property relative to S. Thus the new definition of *-property includes the old one but is somewhat more general.

A rule p : R × V → D × V preserves the *-property relative to S' if whenever p(Rk,v) = (Dm,v*) and v satisfies *-property relative to S', then v* satisfies *-property relative to S'.

Note that a proof that a rule p preserves *-property relative to S' can be generated from a proof that p preserves *-property by adding the condition "Si ∈ S'" to each argument involving Si. However, since the implications of Theorem 3.3 have been substituted for the original conditions in "A Mathematical Model," new proofs are required for the statements that the rules are *-property-preserving. These proofs are included in Appendix B.

Since the change from *-property to *-property relative to S' is nearly trivial, we shall simplify discussion by using the phrase "*-property", keeping in mind that a fixed but arbitrary set S' of subjects is involved.
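The following Python is an added example and is not part of the report: it checks a state against the *-property relative to S' as just defined, so that only subjects in S' (the untrusted ones) are held to the three Theorem 3.3 conditions. The representation is an assumption of the example: a security level is a pair (classification, category set) with classifications as integers ordered U < C < S < TS, f_obj holds (f2, f4) for each object, f_cur holds the current level (f5, f6) for each subject, and b is the set of (subject, object, attribute) triples. All names and levels below are constructed sample data.

```python
# Added example, not part of the report: a checker for the *-property relative
# to S' as defined in the Third Refinement. Representation (an assumption of
# this example): a level is (classification, category set), classifications
# being integers 0 = U, 1 = C, 2 = S, 3 = TS; f_obj holds (f2, f4) per object,
# f_cur holds (f5, f6), the *current* level, per subject; b is the set of
# (subject, object, attribute) triples; s_prime is S', the untrusted subjects.
from typing import Dict, FrozenSet, List, Set, Tuple

Level = Tuple[int, FrozenSet[str]]          # (classification, category set)
Triple = Tuple[str, str, str]               # (subject, object, attribute)

def dominates(hi: Level, lo: Level) -> bool:
    """hi dominates lo: classification >= and category set a superset."""
    return hi[0] >= lo[0] and hi[1] >= lo[1]  # frozenset >= means superset

def star_property_violations(b: Set[Triple],
                             f_obj: Dict[str, Level],
                             f_cur: Dict[str, Level],
                             s_prime: Set[str]) -> List[Triple]:
    """Return the triples of b that break the *-property relative to S'.

    Only subjects in S' are examined; a trusted subject (S not in S') is
    exempt, which is exactly what the relativised definition removes from
    the original "no subject can be trusted" assumption.
    """
    bad: List[Triple] = []
    for s, o, x in sorted(b):
        if s not in s_prime:
            continue
        obj, cur = f_obj[o], f_cur[s]
        if x == "a" and not dominates(obj, cur):    # f2(O) >= f5(S), f4(O) ⊇ f6(S)
            bad.append((s, o, x))
        elif x == "w" and obj != cur:               # f2(O) = f5(S),  f4(O) = f6(S)
            bad.append((s, o, x))
        elif x == "r" and not dominates(cur, obj):  # f2(O) <= f5(S), f4(O) ⊆ f6(S)
            bad.append((s, o, x))
        # "e" (execute) carries no *-property condition
    return bad

def satisfies_star_property_relative(b, f_obj, f_cur, s_prime) -> bool:
    return not star_property_violations(b, f_obj, f_cur, s_prime)

# Constructed sample state: a SECRET report with one category, an UNCLASSIFIED log.
NUKE = frozenset({"nuclear"})
F_OBJ: Dict[str, Level] = {"O_report": (2, NUKE), "O_log": (0, frozenset())}
F_CUR: Dict[str, Level] = {"S_user": (2, NUKE), "S_guard": (2, NUKE)}
B: Set[Triple] = {("S_user", "O_report", "r"),
                  ("S_guard", "O_report", "r"),
                  ("S_guard", "O_log", "w")}     # reads SECRET, writes UNCLASSIFIED

if __name__ == "__main__":
    # Old reading, every subject untrusted: the guard's downgrade path is flagged.
    print(star_property_violations(B, F_OBJ, F_CUR, {"S_user", "S_guard"}))
    # Relative to S' = {S_user}: the guard is trusted and the state is acceptable.
    print(satisfies_star_property_relative(B, F_OBJ, F_CUR, {"S_user"}))
```

The same state is rejected when S' = S (the old *-property) and accepted when the guard subject is left out of S'; an untrusted subject writing below its current level is still reported.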
Conclusion

The *-property can be revised as indicated with no noticeable perturbation in the model. Moreover, with these alterations, the model can allow a vast simplification of the *-property checks as well as free a design as much as possible from excessive preventive measures. With this revision of the *-property then, the model

1. prevents untrusted subjects from degrading the system by mistake (an unexpected side-effect of a program or a bug); and

2. allows trusted subjects to operate without the extra encumbrance of the *-property.






SECTION V

CLASSIFICATION OF A CONTROL HIERARCHY

Introduction

The refinements to the model contained in Section II make it clear that objects which do not represent data are present in the model. There are, in fact, objects which represent entries in the access matrix, just as is the case for directory segments in the current Multics system. This fact causes certain problems in the design of a secure computer system. In this section, the desirability of organizing the objects in a coherent manner in order to ease these design problems is discussed. It is further shown that the proposed organization is eminently feasible.

Compatibility

The security levels of objects provide an ordering ≤_f on objects:

    O1 ≤_f O2 ⇔ [f2(O1) ≤ f2(O2) and f4(O1) ⊆ f4(O2)].

Since a hierarchy also imposes an ordering on objects, the possibility of some sort of correspondence between the two orderings presents itself as an interesting possibility.† We shall call a state v "compatible" provided the structure of ≤_f is similar to the tree-structure implied by an element of H_M. More precisely, we shall call a state v = (b,M,f,H) compatible if

    for all O ∈ O [O' ∈ H(O) ⇒ f2(O) ≤ f2(O') & f4(O) ⊆ f4(O')].

†This particular object-ordering was first mentioned in (5).

That is, v is compatible provided security level is monotonically non-decreasing along any path away from the root. The next subsection will discuss the justification for requiring compatibility in a secure computer system.

Extrinsic Justification for Adopting Compatibility

The developmental work of the secure computer model has heretofore been primarily directed by current manual security procedures for classified documents. In the large, analogy was quite useful in this task: data files in an information system correspond directly to documents in a file-drawer system. Unfortunately, the analogy is not perfect.

For example, the Multics analogue of the "organization" of a file drawer is the directory structure, and the directories themselves are segments, just as data-objects themselves are segments. Hence, in considering a practical secure computer system in a Multics-like environment, one is forced to consider issues beyond the purview of current security procedures. The remainder of this subsection will deal with three of those issues, leading to a justification for the adoption of compatibility.

The first issue is whether directories should be considered objects. From one point of view, directories are basically an index into the data stored in data segments. With this perspective, one would consider that the directories support the model by filling the role of a unique index to the set of objects. However, as mentioned above, Multics directories are segments and as such are subject to alteration. Hence, the index which the directories represent is in no sense immutable. Moreover, a Multics directory contains access information to all of its inferior directories and/or data segments. Hence, some sort of control over access to directories must be enforced. Since security-related information is involved, protection for directories must be absolutely certain. The protection of objects in the model is thus of precisely the nature required for the protection of directories. Since in Multics both directories and files are segments, the inclusion of directories in the set of objects allows the protection of segments to be accomplished in a uniform manner with the secure computer model acting as a specific guide in the undertaking.

The second issue revolves around the classification of directories. It would simplify matters if nothing more than the analogues of documents (namely data segments) were required to be classified. This approach, however, is infeasible because directories are also segments, and they contain important information about inferior objects. The most obvious example is a file O whose very name is classified secret. The name of O will be part of its directory D, so that if D is unclassified, the potential for compromise exists. Clearly, then, provision must be made to classify D appropriately to bar unauthorized users from reading the information about O which is in D. There are also many less obvious examples which can make a successful implementation quite difficult even with classified directories.† Clearly, then, provision must be made for the classification of directories.

Suppose now that we are resolved both to include directories as objects and to allow classified directories for the reason given above. The final question is whether there is any reason to impose compatibility, thus in some sense forcing the directory structure to match the security ordering ≤_f.

There is indeed a reason to impose compatibility. The issue here is illustrated by the situation pictured in Figure 6, a situation rendered impossible by the imposition of compatibility.

[Figure 6. A Noncompatible Situation]

†A full discussion of the implementation problems actually encountered in the design of a closed secure computer system can be found in Section 3.7 of the design analysis report for the Air Force Data Services Center (Reference 6).

Currently access to O2 in the Multics system is "through" O1. More specifically, the name of O2 is the path in the hierarchy from the root object O_R to O2. Hence, a request for access to O2 by an unclassified subject admits of two resolutions: denial of the access or provision of control mechanisms to protect O1 while O2 is being accessed. It is now considered unlikely that appropriate control mechanisms can be provided within the constraints of the security kernel concept. Thus, it will be necessary to deny access to O2 by unclassified subjects. Hence, no subject classified below secret could ever access objects below O1 in the hierarchy, rendering classifications like that pictured in Figure 6 fatuous. Thus, within the constraints of practicality, compatibility is a necessity. In the next subsection, it will be shown that the preservation of compatibility is not only feasible but also relatively simple.

The Preservation of Compatibility

Clearly the preservation of compatibility could be threatened only by alteration of f or H. A quick review of the rules in the rule set of Section II shows that only rules p14 (create-object) and p15 (delete-object) can ever affect either f or H. Moreover, p15 does not alter f and may only disassemble part of the hierarchy tree. Thus the burden of preserving compatibility will fall on a replacement for rule p14.

Rule p14 itself will preserve compatibility if and only if the two following conditions are satisfied:

    (1) f2(Oj) ≤ Cu and

    (2) f4(Oj) ⊆ Q.

Hence, adding these two conditions as restrictions for p14 will yield a rule which preserves compatibility.


Proposition 5.1: The rule p16 below preserves compatibility; that is, if p16(Rk,v) = (Dm,v*) where v is compatible, then v* is compatible. Moreover, p16 preserves security.†

    p16(Rk,v) =

        (?, v)   if Rk ∉ R^(3);

        (yes, (b, M ⊕ [r,w,a]_{i,τ(j,M)}, α1(O_τ(j,M), f, Cu, Q), β1(Oj,H,M)))
                 if Rk = (Si,Oj,Cu,Q,φ) ∈ R^(3) and
                    [O_s(j) ∈ b(Si:w,a)] and
                    f2(Oj) ≤ Cu and f4(Oj) ⊆ Q;

        (yes, (b, M ⊕ [r,e,w,a]_{i,τ(j,M)}, α1(O_τ(j,M), f, Cu, Q), β1(Oj,H,M)))
                 if Rk = (Si,Oj,Cu,Q,e) ∈ R^(3) and
                    [O_s(j) ∈ b(Si:w,a)] and
                    f2(Oj) ≤ Cu and f4(Oj) ⊆ Q;

        (no, v)  otherwise.

†The function α1 in the definition of p16 denotes the classification obtained from f by setting the new object's security level equal to (Cu,Q). β1(Oj,H,M) is the hierarchy obtained from H by adding a new object directly below Oj. Both α1 and β1 are defined in Appendix C.
Proof: Write v = (b,M,f,H) and v* = (b*,M*,f*,H*). Note that f and f* differ only on O_τ(j,M). Pick O ≠ Oj. Then H*(O) = H(O). Hence since v is compatible, f_t(O) is dominated by f_t(O') for O' ∈ H(O) and t = 2, 4. Consider Oj: H*(Oj) equals either H(Oj) or H(Oj) ∪ {O_τ(j,M)}, and the check for compatibility reduces to a check vis-a-vis Oj and O_τ(j,M), where Rk ∈ R^(3), O_s(j) ∈ b(Si:w,a); f2(Oj) ≤ Cu; and f4(Oj) ⊆ Q. But f2(O_τ(j,M)) = Cu and f4(O_τ(j,M)) = Q, so that v* is compatible and p16 is compatibility-preserving as claimed.

Since p16 is a refinement of p14, which is security-preserving, p16 is itself security-preserving.

If one desires a secure computer system which exhibits only compatible states satisfying the *-property, one can use the set of rules

    ω_III = {p1, p2, p3, p4, p5, p12, p13, p15, p16, p17}

together with a compatible, secure initial state z0 which satisfies the *-property.
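The following Python is an added example and is not part of the report; it serves both the definition of compatibility in the "Compatibility" subsection and the create-object discussion of this subsection. It checks the Appendix C conditions on a hierarchy (no object below two parents, no cycles), checks compatibility, and runs the create-object rule both without the two extra conditions (p14) and with them (p16). The representation is an assumption of the example: a hierarchy H maps each object to the set of objects directly below it, f maps each object to its level (f2, f4) with classifications as integers, and b is the set of (subject, object, attribute) triples; the access-matrix update M ⊕ [r,w,a] is left out. All names are constructed sample data.

```python
# Added example, not part of the report: the compatibility check of Section V,
# the Appendix C conditions on a hierarchy, and the create-object rule without
# (p14) and with (p16) the conditions f2(Oj) <= Cu and f4(Oj) ⊆ Q.
# Representation (an assumption of this example): H maps each object to the
# set of objects directly below it; f maps each object to (f2, f4) with
# classifications 0 = U, 2 = S; b is the set of (subject, object, attribute)
# triples. The access-matrix update M ⊕ [r,w,a] is omitted.
from typing import Dict, FrozenSet, Set, Tuple

Level = Tuple[int, FrozenSet[str]]
Hierarchy = Dict[str, Set[str]]

def is_hierarchy(H: Hierarchy) -> bool:
    """Appendix C: (1) no object lies directly below two objects, and
    (2) no chain O1 -> O2 -> ... -> Ow -> O1 exists (no cycles)."""
    seen: Set[str] = set()
    for kids in H.values():
        if kids & seen:
            return False
        seen |= kids
    def reaches(start: str, target: str, path: Set[str]) -> bool:
        return any(c == target or (c not in path and reaches(c, target, path | {c}))
                   for c in H.get(start, set()))
    return not any(reaches(o, o, set()) for o in H)

def is_compatible(H: Hierarchy, f: Dict[str, Level]) -> bool:
    """for all O [O' in H(O) => f2(O) <= f2(O') and f4(O) ⊆ f4(O')]."""
    return all(f[o][0] <= f[c][0] and f[o][1] <= f[c][1]
               for o, kids in H.items() for c in kids)

def create_object(H: Hierarchy, f: Dict[str, Level], b: Set[Tuple[str, str, str]],
                  si: str, oj: str, new: str, cu: int, q: FrozenSet[str],
                  preserve_compat: bool):
    """p14 (preserve_compat=False) or p16 (preserve_compat=True).
    Returns (decision, H*, f*); the inputs are left untouched."""
    if not any((si, oj, x) in b for x in ("w", "a")):     # Oj in b(Si:w,a)?
        return "no", H, f
    if preserve_compat and not (f[oj][0] <= cu and f[oj][1] <= q):
        return "no", H, f                                  # conditions (1), (2)
    H2 = {o: set(k) for o, k in H.items()}
    H2.setdefault(oj, set()).add(new)      # beta1: attach directly below Oj
    H2.setdefault(new, set())
    f2 = dict(f)
    f2[new] = (cu, q)                      # alpha1: new object's level (Cu, Q)
    return "yes", H2, f2

# Constructed sample: an UNCLASSIFIED root with a SECRET directory below it.
ROOT, SEC_DIR = "O_root", "O_secret_dir"
H0: Hierarchy = {ROOT: {SEC_DIR}, SEC_DIR: set()}
F0: Dict[str, Level] = {ROOT: (0, frozenset()), SEC_DIR: (2, frozenset({"crypto"}))}
B0 = {("S_i", SEC_DIR, "w")}

def demo():
    """Ask to create an UNCLASSIFIED object directly below the SECRET directory."""
    d14, h14, f14 = create_object(H0, F0, B0, "S_i", SEC_DIR, "O_new", 0, frozenset(), False)
    d16, h16, f16 = create_object(H0, F0, B0, "S_i", SEC_DIR, "O_new", 0, frozenset(), True)
    return d14, is_compatible(h14, f14), d16, is_compatible(h16, f16)

if __name__ == "__main__":
    print(demo())   # ('yes', False, 'no', True): p14 grants and breaks compatibility, p16 refuses
```

The request is the Figure 6 situation in miniature: p14 attaches an unclassified object under a secret directory and the resulting state is no longer compatible, while p16 returns "no" and leaves the state unchanged.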

Conclusion

Compatibility is currently required by practical considerations. In addition, it can be provided by adding one further condition to the create-object rule. Thus, compatibility is both a desirable and a feasible refinement to the secure computer model.
SECTION VI

SUMMARY

In this report, the secure computer model is extended in several ways.

The first extension allows a hierarchical ordering of the objects and for implicit control over the objects. This revision clearly incorporates certain control structures into the set of objects. With appropriate interpretation of the access attributes as applied to control objects in the hierarchy, the model can now be applied to a Multics-like information system in a very direct way.

The second extension is the introduction of current classification and current category set (f5 and f6, respectively). This revision made possible a vast simplification of the *-property check in the various rules.

The third extension alters the *-property to allow for trustworthy subjects. This revision makes the development of the *-property sounder and it gives the model more flexibility.

Finally, a number of practical considerations are discussed, leading to the conclusion that enforcing compatibility, a discipline of non-decreasing security level on the object hierarchy, is required by the *-property in a Multics-like environment. The inclusion of this discipline is achieved by the replacement of one rule in the rule set of Section II by another very similar one, resulting in a secure computer system which preserves both the extended *-property and compatibility.
APPENDIX A

THE RULES

In this appendix, the rules of this volume are listed in numerical order. The rule set of Section II comprises rules 1, 2, 3, 4, 5, 12, 13, 14, 15, and 17. The set ω_III of Section V, which guarantees the preservation of compatibility, consists of the rules 1, 2, 3, 4, 5, 12, 13, 15, 16, and 17. Rules 1 - 5 are rules retained from "A Mathematical Model." Rules 12 - 17 are new rules. The proof of rule 16 appears in Section V as Proposition 5.1 (page 33); the remaining proofs are in Appendix B.

There is a standard format for the presentation of rules in this appendix. The domain of p_i is a description of the form a request that rule p_i handles will take. The semantics of p_i is a brief explanation of the situation that rule p_i is designed to arbitrate. The *-property function σ_i is a Boolean function which specifies the conditions which must be satisfied before a positive decision is allowed for an untrustworthy subject, that is, a subject in S'. If the *-property does not affect the rule, the *-property function is listed as a tautology (always TRUE) and does not appear in the rule itself. Next the rule is presented in an abbreviated functional form. Finally, an algorithm for p_i is presented. Any unfamiliar notation can be found listed in the Notational Glossary in Appendix C.
Rule 1: get-read

Domain of p1: all Rk = (g, Si, Oj, r) ∈ R^(1).

Semantics: Subject Si requests access to object Oj in read (r) mode.

*-property function:

    σ1(Rk,v) = TRUE ⇔ [f5(Si) ≥ f2(Oj) & f6(Si) ⊇ f4(Oj)].

The rule:

    p1(Rk,v) =
        (?, v)              if Rk ∉ domain of p1;
        (yes, augb(Rk,v))   if [Rk ∈ domain of p1]
                               & [r ∈ Mij]
                               & [f1(Si) ≥ f2(Oj)]
                               & [f3(Si) ⊇ f4(Oj)]
                               & [Si ∉ S' or σ1(Rk,v)];
        (no, v)             otherwise.

Algorithm for p1:

    if Rk ∉ domain of p1 then p1(Rk,v) = (?,v);
    else if r ∈ Mij
        and {[Si ∈ S' and σ1(Rk,v)]
             or [Si ∉ S' and f1(Si) ≥ f2(Oj) and f3(Si) ⊇ f4(Oj)]}
        then p1(Rk,v) = (yes, augb(Rk,v));
    else p1(Rk,v) = (no, v);
    end;

Rule 2: get-append

Domain of p2: all Rk = (g, Si, Oj, a) ∈ R^(1).

Semantics: Subject Si requests access to object Oj in append (a) mode.

*-property function:

    σ2(Rk,v) = TRUE ⇔ [f5(Si) ≤ f2(Oj) & f6(Si) ⊆ f4(Oj)].

The rule:

    p2(Rk,v) =
        (?, v)              if Rk ∉ domain of p2;
        (yes, augb(Rk,v))   if [Rk ∈ domain of p2]
                               & [a ∈ Mij]
                               & [Si ∉ S' or σ2(Rk,v)];
        (no, v)             otherwise.

Algorithm for p2:

    if Rk ∉ domain of p2 then p2(Rk,v) = (?,v);
    else if a ∈ Mij
        and {[Si ∈ S' and σ2(Rk,v)] or [Si ∉ S']}
        then p2(Rk,v) = (yes, augb(Rk,v));
    else p2(Rk,v) = (no, v);
    end;

Rule 3: get-execute

Domain of p3: all Rk = (g, Si, Oj, e) ∈ R^(1).

Semantics: Subject Si requests access to object Oj in execute (e) mode.

*-property function:

    σ3(Rk,v) = TRUE.

The rule:

    p3(Rk,v) =
        (?, v)              if Rk ∉ domain of p3;
        (yes, augb(Rk,v))   if [Rk ∈ domain of p3] & [e ∈ Mij];
        (no, v)             otherwise.

Algorithm for p3:

    if Rk ∉ domain of p3 then p3(Rk,v) = (?,v);
    else if e ∈ Mij then p3(Rk,v) = (yes, augb(Rk,v));
    else p3(Rk,v) = (no, v);
    end;
Rule 4: get-write

Domain of p4: all Rk = (g, Si, Oj, w) ∈ R^(1).

Semantics: Subject Si requests access to object Oj in write (w) mode.

*-property function:

    σ4(Rk,v) = TRUE ⇔ [f5(Si) = f2(Oj) & f6(Si) = f4(Oj)].

The rule:

    p4(Rk,v) =
        (?, v)              if Rk ∉ domain of p4;
        (yes, augb(Rk,v))   if [Rk ∈ domain of p4]
                               & [w ∈ Mij]
                               & [f1(Si) ≥ f2(Oj)]
                               & [f3(Si) ⊇ f4(Oj)]
                               & [Si ∉ S' or σ4(Rk,v)];
        (no, v)             otherwise.

Algorithm for p4:

    if Rk ∉ domain of p4 then p4(Rk,v) = (?,v);
    else if w ∈ Mij
        and {[Si ∉ S' and f1(Si) ≥ f2(Oj) and f3(Si) ⊇ f4(Oj)]
             or [Si ∈ S' and σ4(Rk,v)]}
        then p4(Rk,v) = (yes, augb(Rk,v));
    else p4(Rk,v) = (no, v);
    end;
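The following Python is an added example and is not part of the report: it implements the decision part of rules 1, 2 and 4 above (get-read, get-append, get-write), including the discretionary check x ∈ Mij, the simple-security check on (f1, f3) for read and write, and the branch "Si ∉ S' or σ(Rk,v)" that exempts trusted subjects from the *-property function. The representation is an assumption of the example: a level is (classification, category set); f_max holds (f1, f3) and f_cur holds (f5, f6) for each subject; f_obj holds (f2, f4) for each object; M maps (subject, object) to the permitted attributes; b is the set of current-access triples. The sample data is constructed.

```python
# Added example, not part of the report: the decision part of rules 1, 2 and 4
# (get-read, get-append, get-write) with the trusted-subject branch
# "Si not in S' or sigma(Rk,v)". Representation (an assumption of this
# example): a level is (classification, category set); f_max holds (f1, f3)
# and f_cur holds (f5, f6) per subject; f_obj holds (f2, f4) per object;
# M maps (subject, object) to the set of permitted attributes; b is the set
# of (subject, object, attribute) triples.
from typing import Dict, FrozenSet, Set, Tuple

Level = Tuple[int, FrozenSet[str]]
Triple = Tuple[str, str, str]

def dominates(hi: Level, lo: Level) -> bool:
    return hi[0] >= lo[0] and hi[1] >= lo[1]

def sigma(x: str, cur: Level, obj: Level) -> bool:
    """*-property functions sigma1 (r), sigma2 (a), sigma4 (w), evaluated on
    the subject's current level (f5, f6) and the object's level (f2, f4)."""
    if x == "r":
        return dominates(cur, obj)        # f5 >= f2 and f6 ⊇ f4
    if x == "a":
        return dominates(obj, cur)        # f5 <= f2 and f6 ⊆ f4
    if x == "w":
        return cur == obj                 # f5 = f2 and f6 = f4
    raise ValueError(x)

def get_access(request: Tuple[str, str, str, str],
               b: Set[Triple], M: Dict[Tuple[str, str], Set[str]],
               f_max: Dict[str, Level], f_cur: Dict[str, Level],
               f_obj: Dict[str, Level], s_prime: Set[str]):
    """Return (decision, b*) for a request (g, Si, Oj, x) with x in {r, a, w}."""
    g, si, oj, x = request
    if g != "g" or x not in ("r", "a", "w"):
        return "?", b                                  # outside the domain
    if x not in M.get((si, oj), set()):
        return "no", b                                 # discretionary check x in Mij
    if x in ("r", "w") and not dominates(f_max[si], f_obj[oj]):
        return "no", b                                 # simple security on (f1, f3)
    if si in s_prime and not sigma(x, f_cur[si], f_obj[oj]):
        return "no", b                                 # *-property, S' members only
    return "yes", b | {(si, oj, x)}                    # augb(Rk, v)

# Constructed sample: a subject cleared to SECRET, currently working at UNCLASSIFIED.
SEC, UNC = (2, frozenset()), (0, frozenset())
F_MAX = {"S_i": SEC}
F_CUR = {"S_i": UNC}
F_OBJ = {"O_secret": SEC, "O_unc": UNC}
MATRIX = {("S_i", "O_secret"): {"r", "w"}, ("S_i", "O_unc"): {"r", "w", "a"}}

def demo(s_prime: Set[str]):
    """Read a SECRET object, then write an UNCLASSIFIED one, as the same subject."""
    d1, b1 = get_access(("g", "S_i", "O_secret", "r"), set(), MATRIX, F_MAX, F_CUR, F_OBJ, s_prime)
    d2, b2 = get_access(("g", "S_i", "O_unc", "w"), b1, MATRIX, F_MAX, F_CUR, F_OBJ, s_prime)
    return d1, d2, len(b2)

if __name__ == "__main__":
    print(demo({"S_i"}))   # ('no', 'yes', 1): untrusted, SECRET read refused at current level U
    print(demo(set()))     # ('yes', 'yes', 2): trusted, both granted on clearance alone
```

With S_i in S' the read of the SECRET object is refused because the current level (f5, f6) does not dominate it, even though the clearance (f1, f3) does; with S_i trusted both accesses are granted and b ends up holding a SECRET read and an UNCLASSIFIED write at once, which is exactly what the relativised *-property permits.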


Rule 5: release-read/execute/write/append

Domain of p5: all Rk = (r, Si, Oj, x) ∈ R^(1).

Semantics: Subject Si signals the release of access to object Oj in mode x, where x is r (read), e (execute), w (write), or a (append).

*-property function:

    σ5(Rk,v) = TRUE.

The rule:

    p5(Rk,v) =
        (?, v)              if Rk ∉ domain of p5;
        (yes, dimb(Rk,v))   otherwise.

Algorithm for p5:

    if Rk ∉ domain of p5 then p5(Rk,v) = (?,v);
    else p5(Rk,v) = (yes, dimb(Rk,v));
    end;
Rule 12: give-read/execute/write/append

Domain of p12: all Rk = (Sλ, g, Si, Oj, x) ∈ R^(2) with Oj ≠ O_R.

Semantics: Subject Sλ gives subject Si the right of access to object Oj in mode x where x is r, w, or a.

*-property function:

    σ12(Rk,v) = TRUE.

The rule:

    p12(Rk,v) =
        (?, v)                          if Rk ∉ domain of p12;
        (yes, (b, M ⊕ [x]_ij, f, H))    if [Rk ∈ domain of p12]
                                           & [O_s(j) ∈ b(Sλ:w)];
        (no, v)                         otherwise.

Algorithm for p12:

    if Rk ∉ domain of p12 then p12(Rk,v) = (?,v);
    else if O_s(j) ∈ b(Sλ:w)
        then p12(Rk,v) = (yes, (b, M ⊕ [x]_ij, f, H));
    else p12(Rk,v) = (no, v);
    end;
Algorithm for p13:

    if Rk ∉ domain of p13 then p13(Rk,v) = (?,v);
    else if O_s(j) ∈ b(Sλ:w) then
        p13(Rk,v) = (yes, (b − {(Si,Oj,x)}, M ⊖ [x]_ij, f, H));
    else p13(Rk,v) = (no, v);
    end;
Rule 14: create-object

Domain of p14: all Rk = (Si, Oj, Cu, Q, x) ∈ R^(3) with Oj ≠ O_R.

Semantics: Subject Si requests the "creation" (i.e., attachment) of an object directly below object Oj. The new object is to have classification Cu and category set Q. If x = e, Si wishes to be given r, e, w, and a access to the new object; if x = φ, Si wishes only r, w, and a access.

*-property function:

    σ14(Rk,v) = TRUE.

The rule:

    p14(Rk,v) =
        (?, v)   if Rk ∉ domain of p14;

        (yes, (b, M ⊕ [r,w,a]_{i,τ(j,M)}, α1(O_τ(j,M), f, Cu, Q), β1(Oj,H,M)))
                 if [Rk = (Si,Oj,Cu,Q,φ) ∈ R^(3)] & [Oj ∈ b(Si:w,a)];

        (yes, (b, M ⊕ [r,e,w,a]_{i,τ(j,M)}, α1(O_τ(j,M), f, Cu, Q), β1(Oj,H,M)))
                 if [Rk = (Si,Oj,Cu,Q,e) ∈ R^(3)] & [Oj ∈ b(Si:w,a)];

        (no, v)  otherwise.

Algorithm for p14:

    if Rk ∉ R^(3), the domain of p14, then p14(Rk,v) = (?,v);
    else if Oj ∈ b(Si:w,a) then
        do;
            Φ = {r,w,a};
            if x = e then Φ ← Φ ∪ {e};
            p14(Rk,v) = (yes, (b, M ⊕ [Φ]_{i,τ(j,M)}, α1(O_τ(j,M), f, Cu, Q), β1(Oj,H,M)));
        end;
    else p14(Rk,v) = (no, v);
    end;
Rule 16: create-object preserving compatibility

Domain of p16: all Rk = (Si, Oj, Cu, Q, x) ∈ R^(3) with Oj ≠ O_R.

Semantics: Subject Si requests the "creation" (i.e., attachment) of an object directly below object Oj. The new object is to have classification Cu and category set Q. Si wishes to receive access attributes r, w, and a to the new object. Si also wishes e access if x = e.

*-property function:

    σ16(Rk,v) = TRUE.

The rule:

    p16(Rk,v) =
        (?, v)   if Rk ∉ domain of p16;

        (yes, (b, M ⊕ [r,w,a]_{i,τ(j,M)}, α1(O_τ(j,M), f, Cu, Q), β1(Oj,H,M)))
                 if [Rk = (Si,Oj,Cu,Q,φ) ∈ R^(3)]
                    & [Oj ∈ b(Si:w,a)]
                    & [f2(Oj) ≤ Cu and f4(Oj) ⊆ Q];

        (yes, (b, M ⊕ [r,e,w,a]_{i,τ(j,M)}, α1(O_τ(j,M), f, Cu, Q), β1(Oj,H,M)))
                 if [Rk = (Si,Oj,Cu,Q,e) ∈ R^(3)]
                    & [Oj ∈ b(Si:w,a)]
                    & [f2(Oj) ≤ Cu and f4(Oj) ⊆ Q];

        (no, v)  otherwise.

Algorithm for p16:

    if Rk ∉ R^(3), the domain of p16, then p16(Rk,v) = (?,v);
    else if Oj ∈ b(Si:w,a) and f2(Oj) ≤ Cu and f4(Oj) ⊆ Q then
        do;
            Φ = {r,w,a};
            if x = e then Φ ← Φ ∪ {e};
            p16(Rk,v) = (yes, (b, M ⊕ [Φ]_{i,τ(j,M)}, α1(O_τ(j,M), f, Cu, Q), β1(Oj,H,M)));
        end;
    else p16(Rk,v) = (no, v);
    end;
Rule 17: change-security-level

Domain of p17: all Rk = (Si, Cu, Q) ∈ R^(3).

Semantics: Subject Si requests a change in his current security level (that is, his f5 and f6 values) to Cu and Q.

*-property function:

    σ17(Rk,v) = TRUE ⇔ [f1(Si) ≥ Cu and f3(Si) ⊇ Q]
                        & [O ∈ b(Si:a) ⇒ Cu ≤ f2(O) and Q ⊆ f4(O)]
                        & [O ∈ b(Si:w) ⇒ Cu = f2(O) and Q = f4(O)]
                        & [O ∈ b(Si:r) ⇒ Cu ≥ f2(O) and Q ⊇ f4(O)].

The rule:

    p17(Rk,v) =
        (?, v)                               if Rk ∉ domain of p17;
        (yes, (b, M, α2(f, Si, Cu, Q), H))   if [Rk ∈ domain of p17]
                                                & [Si ∉ S' or σ17(Rk,v)];
        (no, v)                              otherwise.

Algorithm for p17:

    if Rk ∉ domain of p17 then p17(Rk,v) = (?,v);
    else if [Si ∉ S' or σ17(Rk,v)] then p17(Rk,v) = (yes, (b, M, α2(f, Si, Cu, Q), H));
    else p17(Rk,v) = (no, v);
    end;
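The following Python is an added example and is not part of the report: it implements rule 17 above, evaluating the four conjuncts of σ17 against the subject's clearance and against every access the subject currently holds in b, and applying the "Si ∉ S' or σ17(Rk,v)" branch. The representation is an assumption of the example: a level is (classification, category set); f_max holds (f1, f3) and f_cur holds (f5, f6) for each subject; f_obj holds (f2, f4) for each object; b is the set of (subject, object, attribute) triples; α2 is modelled as replacing the subject's entry in f_cur. The sample data is constructed.

```python
# Added example, not part of the report: rule 17 (change-security-level), with
# sigma17 evaluated against everything the subject currently holds in b.
# Representation (an assumption of this example): a level is
# (classification, category set); f_max holds (f1, f3) and f_cur holds
# (f5, f6) per subject; f_obj holds (f2, f4) per object; b is the set of
# (subject, object, attribute) triples; alpha2 replaces the subject's f_cur entry.
from typing import Dict, FrozenSet, Set, Tuple

Level = Tuple[int, FrozenSet[str]]
Triple = Tuple[str, str, str]

def dominates(hi: Level, lo: Level) -> bool:
    return hi[0] >= lo[0] and hi[1] >= lo[1]

def sigma17(si: str, new: Level, b: Set[Triple], f_max: Dict[str, Level],
            f_obj: Dict[str, Level]) -> bool:
    """The four conjuncts of sigma17 for a requested current level new = (Cu, Q)."""
    if not dominates(f_max[si], new):                  # f1(Si) >= Cu and f3(Si) ⊇ Q
        return False
    for s, o, x in b:
        if s != si:
            continue
        if x == "a" and not dominates(f_obj[o], new):  # Cu <= f2(O) and Q ⊆ f4(O)
            return False
        if x == "w" and f_obj[o] != new:               # Cu = f2(O) and Q = f4(O)
            return False
        if x == "r" and not dominates(new, f_obj[o]):  # Cu >= f2(O) and Q ⊇ f4(O)
            return False
    return True

def change_security_level(request: Tuple[str, int, FrozenSet[str]], b: Set[Triple],
                          f_max: Dict[str, Level], f_cur: Dict[str, Level],
                          f_obj: Dict[str, Level], s_prime: Set[str]):
    """Return (decision, f_cur*). A subject outside S' is moved without any
    check; a subject in S' only when sigma17 holds."""
    si, cu, q = request
    if si not in f_cur:
        return "?", f_cur                       # outside the domain
    new = (cu, q)
    if si in s_prime and not sigma17(si, new, b, f_max, f_obj):
        return "no", f_cur
    f_new = dict(f_cur)
    f_new[si] = new                             # alpha2(f, Si, Cu, Q)
    return "yes", f_new

# Constructed sample: S_i holds a read on a SECRET object and asks to drop its
# current level to UNCLASSIFIED.
SEC, UNC = (2, frozenset({"crypto"})), (0, frozenset())
F_MAX = {"S_i": SEC}
F_CUR = {"S_i": SEC}
F_OBJ = {"O_secret": SEC}
B = {("S_i", "O_secret", "r")}

def demo(s_prime: Set[str]):
    d, f = change_security_level(("S_i", 0, frozenset()), B, F_MAX, F_CUR, F_OBJ, s_prime)
    return d, f["S_i"]

if __name__ == "__main__":
    print(demo({"S_i"}))   # ('no', (2, frozenset({'crypto'}))): the SECRET read blocks the drop
    print(demo(set()))     # ('yes', (0, frozenset())): a trusted subject may change level
```

Once the read is released (b empty) the untrusted subject's request is granted, which shows why the rule is safe: σ17 re-checks the three *-property conditions at the new level against the current b, so the state after α2 still satisfies the *-property relative to S' (Proposition B.9).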
APPENDIX B

PROOFS OF THE RULES

In this appendix are gathered all new proofs for the various rules of Volume III. The proofs of the rules contained in Volume II are not included here. Since the proof that rule p16 is security-preserving is contained in Proposition 5.1, it is omitted here.

For rule 12, the full justification of the correspondence between the functional specification of the rule and its algorithm is given in full to indicate the form such a verification takes. Similar demonstrations for the other rules are omitted.

Proposition B.0: A rule p preserves *-property relative to S' if the following implication is valid:

    if v = (b,M,f,H) satisfies *-property relative to S';
       p(Rk,v) = (Dm,v*); v* = (b*,M*,f,H*); H* ∈ H_M; and
       (Si,Oj,x) ∈ b* − b,
    then Si ∉ S' or Oj satisfies the first, second, or third
       *-property condition as x is a, w, or r.

Proof: Assume the implication is valid. Let S ∈ S' and suppose O ∈ b*(S: a,w,r).

If O ∈ b*(S: a), then either O ∈ b(S:a) or (S,O,a) ∈ b* − b. In either case, the first *-property condition holds, either by the assumption on v or by the implication.
Similarly, if O ∈ b*(S: w) (respectively, b*(S: r)), then either O ∈ b(S: w) (respectively, b(S: r)) or (S,O,w) ∈ b* − b (respectively, (S,O,r) ∈ b* − b). Again in either case, the second (respectively, third) *-property condition holds, either by the assumption on v or by the implication.

Since the definition of *-property is satisfied, v* satisfies *-property as claimed.

Proposition B.1: Rules 1, 2, and 4 preserve *-property relative to S'.

Proof: Let u = 1, 2, or 4 and x1 = r, x2 = a, and x4 = w.

Suppose v = (b,M,f,H) satisfies *-property relative to S'; pu(Rk,v) = (Dm, v*); and v* = (b*,M*,f*,H*). By Proposition B.0, it suffices to show that

    (1) f* = f;

    (2) H* ∈ H_M; and

    (3) (Si,Oj,x) ∈ b* − b implies Si ∉ S' or Oj satisfies the appropriate *-property condition.

But by pu, v* = v or augb(Rk,v) so that in either case f* = f and H* = H ∈ H_M. Now b* ≠ b iff v* = augb(Rk,v). Hence b* ≠ b implies b* − b = {(Si,Oj,xu)} where Rk = (g, Si, Oj, xu).

If Si ∈ S', then since v* = augb(Rk,v), σu(Rk,v) = TRUE, which is by definition equivalent to the appropriate *-property condition.

Thus by Proposition B.0, v* satisfies *-property relative to S'.

Proposition B.2: Rules 3, 5, 12, 13, 14, 15, and 16 preserve *-property relative to S'.

Proof: This proposition follows directly from Proposition B.0. For rules 5, 12, 13, 14, 15, and 16, the premise (Si,Oj,x) ∈ b* − b of the implication above is never true so that the implication itself is trivially true. Hence the listed rules do indeed preserve *-property relative to S'. For rule 3, b* − b ≠ ∅ implies b* − b = {(Si,Oj,e)} so that the conclusion of the implication is vacuously true. Hence rule 3 also preserves the *-property relative to S'.

Proposition B.3: Rule 12 is security-preserving.

Proof: If v = (b,M,f,H), v* = (b*,M*,f*,H*) and p12(Rk,v) = (Dm,v*), then b* = b and f* = f. If v is secure, every (Si,Oj,x) in b = b* satisfies SC rel f (hence SC rel f*). Thus v* must be secure.
Proposition B.4: The listed algorithm calculates p12.

Proof:

(i) Let Rk ∉ R^(2). The condition on line 1 of the algorithm is satisfied, so that p12(Rk,v) is set equal to (?,v) as desired and the algorithm terminates in this case.

(ii) Let Rk = (Sλ,g,Si,Oj,x) ∈ R^(2) with Oj = O_R, so that Rk ∉ domain of p12. The condition of line 1 is not satisfied so line 2 is used. The condition of line 2 is satisfied so that p12(Rk,v) is set equal to (?,v) as desired; the algorithm terminates.

(iii) Let Rk = (Sλ,g,Si,Oj,x) ∈ R^(2) with Oj ≠ O_R and let O_s(j) ∈ b(Sλ:w). The conditions on lines 1 and 2 are not satisfied; line 3 is used. The condition of line 3 is satisfied and p12(Rk,v) is set equal to (yes, (b, M ⊕ [x]_ij, f, H)) as desired. The algorithm terminates.

(iv) Suppose none of the conditions of (i), (ii), or (iii) hold. The condition of line 1 cannot be satisfied since (i) doesn't hold. The condition of line 2 cannot hold since (ii) doesn't hold. Since (iii) doesn't hold, the condition on line 3 is not satisfied so that line 4 of the algorithm is invoked, setting p12(Rk,v) equal to (no, v) as desired. The algorithm terminates.


Proposition B.5: Rule 13 is security-preserving.

Proof: Let v = (b,M,f,H), v* = (b*,M*,f*,H*), and p13(Rk,v) = (Dm,v*). By rule p13, b* ⊆ b and f* = f. Hence if v is secure, v* is secure.

Proposition B.6: Rule 14 is security-preserving.

Proof: If v = (b,M,f,H), v* = (b*,M*,f*,H*), and p14(Rk,v) = (Dm,v*), then b* = b, and f* = α1(O_τ(j,M), f, Cu, Q) provided Rk = (Si,Oj,Cu,Q,x) ∈ R^(3) and the decision is yes, and f* = f otherwise. Since f* and f agree on subjects and on active objects, v* is secure provided v is secure.

Proposition B.7: Rule 15 is security-preserving.

Proof: If v = (b,M,f,H), v* = (b*,M*,f*,H*), and p15(Rk,v) = (Dm,v*), then b* ⊆ b and f* = f. Thus v* is secure provided v is.

Proposition B.8: Rule 16 is security-preserving.

Proof: See Proposition 5.1, page 33.

Proposition B.9: Rule 17 is security-preserving, and preserves the *-property relative to S'.

Proof: If v = (b,M,f,H), v* = (b*,M*,f*,H*), and p17(Rk,v) = (Dm,v*), then b* = b and f* = f or f* = α2(f,Si,Cu,Q). In either case, neither b nor the values of f1, f2, f3, or f4 have changed so that security is preserved.

If f* = f or if Si ∉ S', then it is immediate that p17 preserves *-property relative to S' by Proposition B.0. If f* ≠ f and Si ∈ S', then f* = α2(f,Si,Cu,Q), Rk ∈ domain of p17, and σ17(Rk,v) = TRUE. Clearly f* ∈ F since f5*(Si) = Cu ≤ f1(Si) = f1*(Si) and f6*(Si) = Q ⊆ f3(Si) = f3*(Si) by the first condition of σ17. Moreover,

    O ∈ b*(Si:a) = b(Si:a) ⇒ [f2*(O) = f2(O) ≥ Cu = f5*(Si)
                              & f4*(O) = f4(O) ⊇ Q = f6*(Si)];

    O ∈ b*(Si:w) = b(Si:w) ⇒ [f2*(O) = f2(O) = Cu = f5*(Si)
                              & f4*(O) = f4(O) = Q = f6*(Si)]; and

    O ∈ b*(Si:r) = b(Si:r) ⇒ [f2*(O) = f2(O) ≤ Cu = f5*(Si)
                              & f4*(O) = f4(O) ⊆ Q = f6*(Si)].

Thus if v satisfies *-property relative to S', then v* satisfies *-property relative to S'. Hence p17 also preserves the *-property relative to S' and the assertion is proved.
APPENDIX C

NOTATIONAL GLOSSARY

In this appendix are listed the major notations used in the Secure Computer Systems series. There are three lists: a Roman alphabet list, a Greek alphabet list, and a symbol list. Each entry has a brief description of the concept involved and a reference to the principal appearances of the notation in the three volumes. A reference is in the form (n1; n2; n3) where n1 is a page number in Volume I, n2 is a page number in Volume II, and n3 is a page number in Volume III.

Roman Alphabet List

a, append
    the alter-only attribute in the set A of access attributes. (-; 22; 11)

A
    the set of access attributes. (-; 22; 11)

A(M)
    the set of active object indices; {j: 1 ≤ j ≤ m and Mij ≠ ∅ for some i}. (-; 39; -)

augb(Rk,v)
    denotes the addition of the triple specified by Rk to b; if Rk = (g,Si,Oj,x) and v = (b,M,f,H), then augb(Rk,v) = (b ∪ {(Si,Oj,x)}, M, f, H). (-; 38; -)

b
    a record of current access; a subset of P(S × O × A). (17; 25; -)

b(S: x, ..., z)
    the set of objects O accessed by S in mode x or ... or z according to b; {O: O ∈ O and [(S,O,x) ∈ b or ... or (S,O,z) ∈ b]}. (-; 27; -)

c
    an element of RA denoting "create." (-; 22; -)

c, control
    the control attribute in the set A in Volume II. (-; 22; -)

C
    the set of classifications. (14; 22; -)

Cu
    an arbitrary classification from the set C. (14; 22; -)

d
    an element of RA denoting "delete." (-; 22; -)

D
    the set of decisions. (15; 23; -)

Dm
    an arbitrary decision from the set D. (15; 23; -)

dimb(Rk,v)
    denotes the deletion of the triple specified by Rk from b; if Rk = (r,Si,Oj,x) and v = (b,M,f,H), then dimb(Rk,v) = (b − {(Si,Oj,x)}, M, f, H). (-; 38; -)
e, execute
    the execute attribute in the set A of access attributes; it implies neither the ability to read the object nor the ability to alter it. (-; 12, 22; 11)

E(H)
    the set of edges implied by the hierarchy H; {(O_1, O_2): O_1, O_2 ∈ O and O_2 ∈ H(O_1)}. (-; -; 9)

error
    a decision used to coordinate a set of rules. (-; 13; -)

f, f*
    a classification/category vector from the set F. (15; 23)

F
    C^S × C^O × (PK)^S × (PK)^O × O^S × (PK)^S. (15; 23; 19)

f_1, f_2, f_3, f_4, f_5, f_6
    components of a vector f from the set F. (15; 23; 19)

g
    an element of RA denoting "give" or "grant." (-; 22; -)

g_1
    a partial function from S × V to C denoting the highest classification of any object currently accessed by a subject in write mode in a given state; g_1(S, v) = max{f_2(O): (S, O, w) ∈ b}. (-; -; 14)

g_2
    a partial function from S × V to PK denoting the smallest category set containing the category set of each object currently accessed by a subject in write mode in a given state; g_2(S, v) = ∪{f_4(O): (S, O, w) ∈ b}. (-; -; 14)

G(H)
    the digraph canonically generated from a hierarchy H; G(H) = (O, E(H)). (-; -; 9)

H
    a hierarchy from the set 𝓗 of hierarchies. (-; -; 8)

𝓗
    the set of hierarchies; H ∈ 𝓗 if (1) O_1 ≠ O_2 ⇒ H(O_1) ∩ H(O_2) = ∅, and (2) there does not exist a set {O_1, ..., O_w} such that O_{r+1} ∈ H(O_r) for 1 ≤ r < w and O_1 = O_w. (-; -; 8)

𝓗_M
    the subset of 𝓗 consisting of hierarchies H with the vertices of its tree being precisely the active objects; {H ∈ 𝓗: the vertex set of the tree of H is {O_j: j ∈ A(M)}}. (-; -; 10)

h_1
    a partial function from S × V to C denoting the highest classification of any object currently accessed by a subject in read mode in a given state; h_1(S, v) = max{f_2(O): (S, O, r) ∈ b}. (-; -; 14)

h_2
    a partial function from S × V to PK denoting the smallest category set containing the category set of each object currently accessed by a subject in read mode in a given state; h_2(S, v) = ∪{f_4(O): (S, O, r) ∈ b}.

[label illegible]
    a decision used to eliminate the [illegible] decision and to make a set of rules covering. (-; 13; -)

K
    the category set. (14; 22; -)

K_i
    a category from the set K. (14; 22; -)

M
    an access matrix from the set 𝓜 of all access matrices; an n × m matrix with entries from PA. (16; 24)
no
    a decision from the set D. (-; 13; -)

O, O_j, O_k, O_1, O_2
    an arbitrary object from the set O of objects. (14; 22; -)

O
    the set of objects. (14; 22; -)

P (as in PA, PK)
    the power set; PA is the set of all subsets of A, and PK the set of all subsets of K. (15; -; -)

Q
    an arbitrary category set contained in K. (-; -; 33)

r
    an element of RA denoting "release" or "rescind." (-; 22; -)

r, read
    the see-only attribute in the set A of access attributes. (-; 12, 22; 11)

R
    the set of requests; in Volume III, the disjoint union of the sets R(1), R(2), R(3), R(4), and R(5). (15; 22; -)

RA
    request elements; {g, r, c, d} in Volume II and {g, r} in Volume III. (-; 22; 12)

R_k
    an arbitrary request from the set R. (15; 22; -)

R(1)
    RA × S × O × A. (-; -; 11)
R(2)
    S × RA × S × O × A. (-; -; 11)

R(3)
    S × O × C × PK × A. (-; -; 11)

R(4)
    S × O. (-; -; 11)

R(5)
    S × C × PK. (-; -; 11)

s(j)
    the index of the object directly superior to a noninitial object in a hierarchy; s(j) = {k: O_j ∈ H(O_k)}. (-; -; 43)

S, S_i, S_A
    an arbitrary subject from the set S. (14; 22; -)

S
    the set of all subjects. (14; 22; -)

S'
    a subset of S which represents the untrusted subjects; S' ⊆ S. (-; -; 25)

S+
    the augmentation of S by the element φ; S+ = S ∪ {φ}. (-; 22; -)

SC rel f
    the security condition relative to f; a per-subject condition for security. (-; 26; -)

T
    the time-index set. (15; 23; -)

t
    an element of T; a time. (15; 23; -)

U, U'
    sets whose vacuity implies the presence of the *-property; used in the statement of the rules in Volume II. (-; 39; -)
v
    an element of the set V of all states. (17; 24; 11)

V
    the set of all states; V ⊆ P(S × O × A) × 𝓜 × F × 𝓗 with H ∈ 𝓗_M. (16; 24; 11)

w, write
    the see-and-alter attribute in the set A of access attributes. (-; 12, 22; 11)

W(ω)
    the relation generated by a set ω of rules. (-; 28; -)

x
    a request sequence from the set X. (16; 23; -)

x
    an arbitrary access attribute from the set A. (-; 26; -)

X
    the set of request sequences; R^T. (16; 23; -)

x_t
    the t-th request in the sequence x. (16; 23; -)

y
    a decision sequence from the set Y. (16; 23; -)

Y
    the set of decision sequences; D^T. (16; 23; -)

yes
    a decision from the set D. (-; 13; -)

y_t
    the t-th decision in the sequence y. (16; 23; -)
Greek Alphabet List

β_1
    β_1: O × 𝓗 × 𝓜 → 𝓗; β_1(O_j, H, M) = H* ∈ 𝓗 where H*(O) = H(O) if O ≠ O_j and H*(O_j) = H(O_j) ∪ {O_τ(j,M)}; β_1 attaches the "first" inactive object to O_j in the hierarchy H. (-; -; 33)

β_2
    β_2: O × 𝓗 → 𝓗; β_2(O_j, H) = H* ∈ 𝓗 where
        H*(O) = H(O) − {O_j}  if O = O_s(j);
        H*(O) = ∅  if there is a set {O_1, ..., O_w} with O_{i+1} ∈ H(O_i) for 1 ≤ i < w, O_1 = O_j and O = O_w;
        H*(O) = H(O)  otherwise;
    β_2 removes the subtree rooted at O_j from H. (-; -; 47)

γ
    an arbitrary element of RA. (-; 38; -)

Δ_1(j, H)
    {k: there exist 1 ≤ u_0, ..., u_w ≤ m where u_0 = j, u_w = k and O_{u_{i+1}} ∈ H(O_{u_i}) for 0 ≤ i < w}. (-; -; 66)
Δ_2(j, b)
    b − {(S_i, O_k, x): 1 ≤ i ≤ n, k ∈ Δ_1(j, H), x ∈ A}. (-; -; 47)

Δ_3(j, M)
    M ⊖ [r, e, w, a]; the removal of attributes from the access matrix M (see the Symbol List for ⊖).

ε
    See the Symbol List.

ρ, ρ_i
    a rule; ρ: R × V → D × V. (-; 27; -)

σ_1, σ_2
    arbitrary elements of S+ in Volume II. (-; 38; -)

σ_i
    *-property functions in Volume III. (-; -; 37)

Σ(R, D, W, z_0)
    the system under investigation; Σ(R, D, W, z_0) ⊆ X × Y × Z with (x, y, z) ∈ Σ(R, D, W, z_0) if (x_t, y_t, z_t, z_{t−1}) ∈ W for each t ∈ T. (17; 25; -)

τ(j, M)
    a function to identify a unique inactive object index; for specificity, τ(j, M) was defined to be min{k: j < k ≤ m and k ∉ A(M)}. (-; -; 33)

φ
    See the Symbol List.

χ
    a subset of A. (-; 38; 45)

[label illegible]
    an arbitrary element of χ. (-; -; 48)
Symbol List

[entry truncated]
    ... a state satisfying *-property (relative to some S') from any state satisfying the same property. (-; 28; -)

*-property relative to S'
    a property of a state which does not allow the possibility of improper mixing of classified information by any subject in the set S'; the Volume III replacement for "*-property." (-; -; 25)

?
    a decision used to coordinate a set of rules. (-; 13; -)

φ, ∅
    the empty set.

⊴_f
    the ordering of objects implicit in the functions f_2 and f_4; O_1 ⊴_f O_2 ⇔ f_2(O_1) ≤ f_2(O_2) and f_4(O_1) ⊆ f_4(O_2). (-; -; 28)

⊕
    a symbol used in describing additions to an access matrix M; M ⊕_ij χ is the matrix M* where
        M*_st = M_st       if (s, t) ≠ (i, j),
        M*_st = M_st ∪ χ   if (s, t) = (i, j). (-; 39; -)

⊖
    a symbol used in describing deletions from an access matrix M; M ⊖_ij χ is the matrix M** where
        M**_st = M_st       if (s, t) ≠ (i, j),
        M**_st = M_st − χ   if (s, t) = (i, j). (-; 39; -)